1
00:00:00,390 --> 00:00:06,870
OK, so the next thing I know we can try is actually SMTP, enumeration, SMPTE, S.P.C.A., a simple

2
00:00:06,870 --> 00:00:11,340
mail transfer protocol and everyone's eleven point twenty five is pretty much poor.

3
00:00:11,340 --> 00:00:14,690
If you remember from the networking section, it's for sending email.

4
00:00:14,850 --> 00:00:20,280
We can potentially gather information, you know, if that port is actually open so we can connect to

5
00:00:20,280 --> 00:00:25,890
it like with Incat and then actually send it out commands to see if, like, you know, a specific user

6
00:00:25,890 --> 00:00:26,550
exists or not.

7
00:00:26,580 --> 00:00:27,900
So let's go ahead and try that out.

8
00:00:27,990 --> 00:00:29,580
So we're back on a colonics machine.

9
00:00:29,580 --> 00:00:34,500
So let's go ahead and actually try this SBB enumeration manually.

10
00:00:34,510 --> 00:00:40,830
So let's try so ank and then we're going to do a Dash N.V. and then we're going to do our address one

11
00:00:40,830 --> 00:00:43,590
or two to one six eight five six one want four.

12
00:00:43,740 --> 00:00:48,710
That is the address for a disposable machine and let's just put it twenty five and then we can hit enter.

13
00:00:48,720 --> 00:00:55,050
So we see that we're connected over SMTP, which is twenty five as we know, because it is an open port.

14
00:00:55,260 --> 00:01:01,670
So what we can do is to verify some commands that we are Afgooye and then something like Rup.

15
00:01:01,680 --> 00:01:07,740
If you see something like this come up, then we know that you know that this user is actually there.

16
00:01:07,740 --> 00:01:15,690
But if we try something else like we are Afgooye, I don't know, I don't live here.

17
00:01:16,380 --> 00:01:21,630
You know, I was going to say, hey, user is unknown, but this is a good way that you can actually

18
00:01:21,630 --> 00:01:25,920
numerary users on a system outside of doing this manually.

19
00:01:25,920 --> 00:01:28,710
One way that we can do it is we can use a script.

20
00:01:28,710 --> 00:01:30,570
So remember, I talked to you guys about scripting.

21
00:01:30,600 --> 00:01:35,460
This is where it can kind of come in handy, use your brain to kind of like actually find ways to automate

22
00:01:35,460 --> 00:01:35,760
things.

23
00:01:35,910 --> 00:01:37,440
So I have a script.

24
00:01:37,440 --> 00:01:40,350
It's called SMTP API.

25
00:01:40,680 --> 00:01:43,440
So it actually goes through and does this process for us.

26
00:01:43,590 --> 00:01:46,980
As you know, we start with this command for our Python scripts.

27
00:01:47,430 --> 00:01:49,890
We import Soki and policies.

28
00:01:50,100 --> 00:01:54,990
And then this is like, you know, if we do it wrong, like if we don't have the right number of arguments

29
00:01:54,990 --> 00:01:57,000
are going to tell you how to actually use it correctly.

30
00:01:57,120 --> 00:02:03,860
So to use it, as you can see, is Essence PWI and then followed by spacing and a username.

31
00:02:03,900 --> 00:02:07,440
This is Connect to the socket, you know, point twenty five on the machine.

32
00:02:07,560 --> 00:02:08,560
So you have to go in.

33
00:02:08,580 --> 00:02:10,800
You can also make that a variable too, if you wanted to.

34
00:02:10,980 --> 00:02:13,170
For the purposes of this, we just made it a string.

35
00:02:13,310 --> 00:02:15,300
So, so we know exactly which one I want to go to.

36
00:02:15,480 --> 00:02:20,310
Then it turns out the banner like Winnik, when it connects to it and it sends out the verifier come

37
00:02:20,310 --> 00:02:20,570
in.

38
00:02:20,580 --> 00:02:22,380
You've got to make sure you have the space right here, too.

39
00:02:22,380 --> 00:02:23,190
It's very important.

40
00:02:23,190 --> 00:02:27,230
And then it's going to store the result here and then print it out and then close the connection.

41
00:02:27,450 --> 00:02:29,380
So let's actually go ahead and try this out.

42
00:02:29,400 --> 00:02:35,820
So when you make it, you ought to also have like a siege mod plus X Command and then somebody PWI just

43
00:02:35,820 --> 00:02:36,870
to make it executable.

44
00:02:37,020 --> 00:02:41,830
So you just do that slash TV type while it's true and then bam.

45
00:02:41,850 --> 00:02:47,010
Now we know a way that we can automate this so we don't have to actually go through and connect and

46
00:02:47,010 --> 00:02:48,210
type in the command.

47
00:02:48,390 --> 00:02:51,150
We could just type we just run the script and give you a username.

48
00:02:51,150 --> 00:02:52,800
You can even do like a list of user names.

49
00:02:52,800 --> 00:02:56,820
If you wanted to see you feel free to trick that script, you know, for your own usage.

50
00:02:57,060 --> 00:03:00,290
OK, so another tool is the Nessa's vulnerability scanner.

51
00:03:00,630 --> 00:03:03,080
Now it's a vulnerability scanner.

52
00:03:03,090 --> 00:03:04,140
It looks for vulnerabilities.

53
00:03:04,350 --> 00:03:09,480
You allows you to scan the entire network and discover what vulnerabilities actually exist on each computer

54
00:03:09,480 --> 00:03:09,840
on it.

55
00:03:09,990 --> 00:03:16,080
So this is a paid tool, but they have a free version that actually limits the number of IPS that you

56
00:03:16,080 --> 00:03:16,830
can scan.

57
00:03:16,980 --> 00:03:22,800
But you can still go ahead and grab that and use that for, like, you know, practicing some scanning

58
00:03:22,800 --> 00:03:24,520
in your own lab at home.

59
00:03:24,660 --> 00:03:26,160
Another vulnerability scanner.

60
00:03:26,160 --> 00:03:31,080
If you don't want to pay for Nessus and you want something fully functional and free, open voice is

61
00:03:31,080 --> 00:03:31,770
a good option.

62
00:03:31,770 --> 00:03:33,330
It's open source vulnerability scanner.

63
00:03:33,330 --> 00:03:34,410
It's free to the public.

64
00:03:34,410 --> 00:03:38,310
It's not as robust and it won't catch as much as Nessus would.

65
00:03:39,120 --> 00:03:45,240
But it can be a solid vulnerability scanner if you set it up right and use it correctly.

66
00:03:45,390 --> 00:03:50,310
Now, I will reiterate, it is very painful to keep that thing updated and actually functioning.

67
00:03:50,310 --> 00:03:56,430
And the user interface is not intuitive at all, but it's still a vulnerability scanner, I think that

68
00:03:56,430 --> 00:04:01,410
is said to have about maybe like half or like a third of the vulnerabilities that Nessa's covers.

69
00:04:01,650 --> 00:04:04,940
But it's still free and so that you could use on your own.

70
00:04:05,190 --> 00:04:11,280
OK, so a lot of passive and active reconnaissance tools that we can actually use to gather information

71
00:04:11,280 --> 00:04:15,150
about, you know, systems on a network or just a network from the outside.

72
00:04:15,150 --> 00:04:16,010
So what's next?

73
00:04:16,020 --> 00:04:19,530
So now that we know how to do that, we're going to start launching some attacks.

74
00:04:19,530 --> 00:04:25,740
You know, kind of like one attack so far, but we can start launching attacks against these discover

75
00:04:25,740 --> 00:04:26,490
vulnerabilities.

76
00:04:26,760 --> 00:04:30,540
So I appreciate you listening in as far and I see you guys in the next section.